Analysis
max time kernel: 161s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12-02-2022 05:38
Static task: static1
Behavioral task: behavioral1
  Sample: 122ce0419c3580eecb97bcb6f9733cf6003b4c95df1c104c9d607d72cbb09313.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 122ce0419c3580eecb97bcb6f9733cf6003b4c95df1c104c9d607d72cbb09313.exe
  Resource: win10v2004-en-20220112
General
Target: 122ce0419c3580eecb97bcb6f9733cf6003b4c95df1c104c9d607d72cbb09313.exe
Size: 58KB
MD5: 7166a7c568522324d74e16e4efa0a3ca
SHA1: 903c381a1ca3a24fc2d72a4da9233cc5654b09b3
SHA256: 122ce0419c3580eecb97bcb6f9733cf6003b4c95df1c104c9d607d72cbb09313
SHA512: 6a0c08bcbb275a0dd1b2a1c1af456b426c97c18d6e3df72d7c1c94718e4ee3971a3cf45d8f7110c463761886c4c5d51c4d2088f5dad83e0aed32933de2028c28
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes: MediaCenter.exe
  pid  | process
  3464 | MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 122ce0419c3580eecb97bcb6f9733cf6003b4c95df1c104c9d607d72cbb09313.exe
  description       | ioc                                                                                              | process
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 122ce0419c3580eecb97bcb6f9733cf6003b4c95df1c104c9d607d72cbb09313.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 122ce0419c3580eecb97bcb6f9733cf6003b4c95df1c104c9d607d72cbb09313.exe
  description     | ioc                                                                                                                                                              | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" | 122ce0419c3580eecb97bcb6f9733cf6003b4c95df1c104c9d607d72cbb09313.exe
Drops file in Windows directory (3 IoCs)
Processes: svchost.exe, TiWorker.exe
  description                  | ioc                                                                                                             | process
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log                                                                                     | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml                                                                                   | TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: MusNotifyIcon.exe
  description       | ioc                                                                      | process
  Key opened        | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0         | MusNotifyIcon.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   | MusNotifyIcon.exe
Modifies data under HKEY_USERS (48 IoCs)
Processes: svchost.exe
  description     | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4208" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132892943514820871" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | svchost.exe
  Key created     | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "1.612907" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4096" | svchost.exe
  Key created     | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | svchost.exe
  Key created     | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | svchost.exe
  Key created     | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | svchost.exe
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: TiWorker.exe, 122ce0419c3580eecb97bcb6f9733cf6003b4c95df1c104c9d607d72cbb09313.exe
  description                       | pid  | process
  Token: SeSecurityPrivilege        | 3528 | TiWorker.exe
  Token: SeRestorePrivilege         | 3528 | TiWorker.exe
  Token: SeBackupPrivilege          | 3528 | TiWorker.exe
  Token: SeBackupPrivilege          | 3528 | TiWorker.exe
  Token: SeRestorePrivilege         | 3528 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3528 | TiWorker.exe
  Token: SeBackupPrivilege          | 3528 | TiWorker.exe
  Token: SeRestorePrivilege         | 3528 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3528 | TiWorker.exe
  Token: SeBackupPrivilege          | 3528 | TiWorker.exe
  Token: SeRestorePrivilege         | 3528 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3528 | TiWorker.exe
  Token: SeBackupPrivilege          | 3528 | TiWorker.exe
  Token: SeRestorePrivilege         | 3528 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3528 | TiWorker.exe
  Token: SeBackupPrivilege          | 3528 | TiWorker.exe
  Token: SeRestorePrivilege         | 3528 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3528 | TiWorker.exe
  Token: SeBackupPrivilege          | 3528 | TiWorker.exe
  Token: SeRestorePrivilege         | 3528 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3528 | TiWorker.exe
  Token: SeIncBasePriorityPrivilege | 3944 | 122ce0419c3580eecb97bcb6f9733cf6003b4c95df1c104c9d607d72cbb09313.exe
  Token: SeBackupPrivilege          | 3528 | TiWorker.exe
  Token: SeRestorePrivilege         | 3528 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3528 | TiWorker.exe
  Token: SeBackupPrivilege          | 3528 | TiWorker.exe
  Token: SeRestorePrivilege         | 3528 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3528 | TiWorker.exe
  Token: SeBackupPrivilege          | 3528 | TiWorker.exe
  Token: SeRestorePrivilege         | 3528 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3528 | TiWorker.exe
  Token: SeBackupPrivilege          | 3528 | TiWorker.exe
  Token: SeRestorePrivilege         | 3528 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3528 | TiWorker.exe
  Token: SeBackupPrivilege          | 3528 | TiWorker.exe
  Token: SeRestorePrivilege         | 3528 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3528 | TiWorker.exe
  Token: SeBackupPrivilege          | 3528 | TiWorker.exe
  Token: SeRestorePrivilege         | 3528 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3528 | TiWorker.exe
  Token: SeBackupPrivilege          | 3528 | TiWorker.exe
  Token: SeRestorePrivilege         | 3528 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3528 | TiWorker.exe
  Token: SeBackupPrivilege          | 3528 | TiWorker.exe
  Token: SeRestorePrivilege         | 3528 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3528 | TiWorker.exe
  Token: SeBackupPrivilege          | 3528 | TiWorker.exe
  Token: SeRestorePrivilege         | 3528 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3528 | TiWorker.exe
  Token: SeBackupPrivilege          | 3528 | TiWorker.exe
  Token: SeRestorePrivilege         | 3528 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3528 | TiWorker.exe
  Token: SeBackupPrivilege          | 3528 | TiWorker.exe
  Token: SeRestorePrivilege         | 3528 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3528 | TiWorker.exe
  Token: SeBackupPrivilege          | 3528 | TiWorker.exe
  Token: SeRestorePrivilege         | 3528 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3528 | TiWorker.exe
  Token: SeBackupPrivilege          | 3528 | TiWorker.exe
  Token: SeRestorePrivilege         | 3528 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3528 | TiWorker.exe
  Token: SeBackupPrivilege          | 3528 | TiWorker.exe
  Token: SeRestorePrivilege         | 3528 | TiWorker.exe
  Token: SeSecurityPrivilege        | 3528 | TiWorker.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 122ce0419c3580eecb97bcb6f9733cf6003b4c95df1c104c9d607d72cbb09313.exe, cmd.exe
  description                      | pid  | process                                                              | target process
  PID 3944 wrote to memory of 3464 | 3944 | 122ce0419c3580eecb97bcb6f9733cf6003b4c95df1c104c9d607d72cbb09313.exe | MediaCenter.exe
  PID 3944 wrote to memory of 3464 | 3944 | 122ce0419c3580eecb97bcb6f9733cf6003b4c95df1c104c9d607d72cbb09313.exe | MediaCenter.exe
  PID 3944 wrote to memory of 3464 | 3944 | 122ce0419c3580eecb97bcb6f9733cf6003b4c95df1c104c9d607d72cbb09313.exe | MediaCenter.exe
  PID 3944 wrote to memory of 3836 | 3944 | 122ce0419c3580eecb97bcb6f9733cf6003b4c95df1c104c9d607d72cbb09313.exe | cmd.exe
  PID 3944 wrote to memory of 3836 | 3944 | 122ce0419c3580eecb97bcb6f9733cf6003b4c95df1c104c9d607d72cbb09313.exe | cmd.exe
  PID 3944 wrote to memory of 3836 | 3944 | 122ce0419c3580eecb97bcb6f9733cf6003b4c95df1c104c9d607d72cbb09313.exe | cmd.exe
  PID 3836 wrote to memory of 3600 | 3836 | cmd.exe                                                              | PING.EXE
  PID 3836 wrote to memory of 3600 | 3836 | cmd.exe                                                              | PING.EXE
  PID 3836 wrote to memory of 3600 | 3836 | cmd.exe                                                              | PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\122ce0419c3580eecb97bcb6f9733cf6003b4c95df1c104c9d607d72cbb09313.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\122ce0419c3580eecb97bcb6f9733cf6003b4c95df1c104c9d607d72cbb09313.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3944
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
    PID: 3464
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\122ce0419c3580eecb97bcb6f9733cf6003b4c95df1c104c9d607d72cbb09313.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3836
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      - Runs ping.exe
      PID: 3600
C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
  PID: 3436
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 392
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 3528
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: d23242daa884be8410e42e645f63c7c6
SHA1: 55d06fae51a0e2a5cb662845acebd250bc878bdd
SHA256: 4598e6b7c42dec3a97bee8a5831fd24f1d32af12ab7a65912d77c770e41b587b
SHA512: 06277b1822ae777e1634957fe67dbadd5ae41911d5a4f77772a6874554c767bf05e22b5ee0e764311d2bed5ecc17aaeba442a4b66ac230ff4f5fddb1594ac85c